OK, I see: the server on 10.10.10.0/24 does _not_ have a route back to the firewall.
In that case, you will need to treat your server network as if it is 'the internet' and perform source NAT:
from 'users' to 'servers' sourcenat 10.10.10.9
This will allow your servers to reply to your connections without needing a static route in their own routing table (route add 10.0.0.0 mask 255.255.255.0 10.10.10.2 -p).
You'll need to add a security policy so only 10.0.0.9 is allowed to connect to 10.10.10.0/24 (or the individual IPs of the servers).
Here's another link to that article: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK (your issue does not require U-turn).
Thank you so much for staying with me to help me with this. The link to the article points me to "How to configure U-Turn NAT"; however, you also stated that I do not need U-Turn, so I just want to make sure this is the correct article.
This article relates to the question asked by adiazm.
Your issue is different and requires regular source NAT.